Infrastructure Security Stats


There were a number of interesting statistics cited at the Critical Infrastructure Protection Conference in Calgary, Sept 8th/9th, 2008:

  • 5.5 – the percentage of an average enterprise IT budget that should be spent on information security. (Yogen Appalraju, VP, Telus Security Solutions)
  • 26 – the percentage of identity data breaches that occur in the Education sector, highest among all industry sectors. (Dean Turner, Sr. Editor, Symantec Interet Security Threat Report)
  • 46 – average length of time, in days, it takes to patch an enterprise business application after a security vulernability is discovered. (Dean Turner, Symantec)
  • 52 – percent of problems in SCADA systems caused by lack of operating system hardening. (Michael James Martin, Senior Managing Consultant, IBM)
  • 75 – percent of oil and gas pipelines controlled by SCADA systems. (Brian Phillips, Director, Bell Canada)
  • 99.9999 – common availabilility expectation, in percent, of a SCADA control system. (Venkat Pothamsetty, Industrial Security Architect, Cisco Systems)
  • 245 – number of police offices in Canada dedicated to e-crime, out of a total police population of 62,000… (Brian Phillips, Bell)
  • 679 – number of US reported data breaches so far in 2008. (Patrick Gray, Senior Security Strategist, Cicso Systems)
  • 321,429 – The average cost, in US dollars, of a security breach for a government organization (Yogen Appalraju, Telus)
  • 500,000 – number of miles of pipelines in North America. (Brian Phillips, Bell)
  • 15,000,000 – amount, in US dollars, that Choicepoint was fined for failing to report data breaches. (Patrick Gray, Cicso)
  • 348,000,000 – number of attacks on utilities, January to June, 2008.  (Dean Turner, Symantec)


Calgary Security Conference Highlights

Last week I attended the 1st Annual Critical Infrastructure Protection Conference in Calgary.  It was the first year of the event so the attendance was a bit low, but the quality of speakers was excellent:

  • Stephen Flynnis Barack Obama’s Homeland Security Advisor and author of The Edge of Disaster.  He offered a captivating presentation on infrastructure security, arguing convincingly that the new battle-space is no longer military, but rather in civil infrastructure and economic zones.  But, despite the hype around national security, the larger threats of extreme weather, pandemic flu and other natural disasters should be of a greater focus for government security and readiness.  He believes in building in resiliancy– robustness, resourcefulness and recovery — into critical infrastructures to limit the impact of disruption, whether that disruption comes from man or nature.  A benefit of this approach is that it empowers individuals to act proactively and reactively against threats in ways that have not yet properly been explored.
  • Patrick Grey, the Senior Security Strategist at Cisco and a 20 year FBI veteran, spoke on a variety of Internet security topics.  He maintains that the biggest threats — bots, phishing and other malware — can be best defeated by user education and awareness.  75% of network breaches are due to human factors.  He also notes a change in the type of attacks being witnessed.  A few years ago, crippling worms were fairly common, and widespread network attacks proved difficult to prevent.  Now, hackers are much more economically motivated and specific targets (e.g. financial organizations) are being attacked in systematic ways.  Data breaches are now being tracked (primarily due to mandatory reporting legislation in most US states) and significant actions are being taken against companies that leave information exposed and do not report it to authorities.  For example, Choicepoint was fined $15 million for a data breach that affected 163,000 people.
  • Michael Legary, Founder and Chief Innovation Office at Seccuris Inc., spoke on the vulnerabilities found in virtualized environments (servers and virtual appliances).  He contends that there are often poor controls ‘at the boundary’of the virtual machine and the system hardware, with drivers available to allow hacker access to all components.  DOS-induced failures are possible, even with secured and managed applications, if VM maximum resources are not configured properly.  Vitual networks are inherantly complex, and are not anticipated in many network security architectures.  Several virtual machine rootkits — SubVirt and Blue Pill are examples — now are available to compromise systems.  Security vulnerabilities in VMware, the leading solution of virtualization, are emerging; last week alone there were 16 security vulnerabilities documented.  Solutions lie in improving controls, among them: limiting access to the host; hardening the operating system; firewall VM service ports; disallow file sharing between hosts; VM monitoring and reporting; and time synchronization to one source (to support audit activities).  Finally, Mr. Legary challenged the lower TCO claims for virtualized services — actual delivery costs may be much higher if all security measure and risk avoidance costs are considered.
  • Barry Kokotailo, an independent security professional, provided an entertaining talk titled “Anti-Surveillance or How Not To Get Caught’.  A number of tools were demonstrated including: data scrubbers, steganography software to embed secret data in innocuous carrier files; secure and hidden data storage tools; anonymous SMS messaging sites; and assorted USB-based portable applications.

For a full list of speakers visit the Speakers’ Bios page.  I’ll post the link to presentations when they become available.